Amazon S3 功能介绍

最新推荐文章于 2024-07-10 11:47:28 发布

can007

最新推荐文章于 2024-07-10 11:47:28 发布

阅读量2.7k

点赞数

本文链接：https://blog.csdn.net/can007/article/details/9026277

版权

本文详细介绍了Amazon S3的功能，包括存储过程、管理、S3功能、访问控制机制等。S3支持创建和管理桶，提供多种访问控制策略如IAM策略、ACL和桶策略。数据元具有生命周期管理、版本控制和数据加密等功能，还可用于存储静态网站并支持BitTorrent协议。文章还讨论了数据保护措施和如何发起请求。

摘要由CSDN通过智能技术生成

1 存储过程

创建用于存储数据元的桶，可以选择数据元所驻留的地区（目前来说，选择东京、新加坡会快些，美国本土更便宜），上传数据元到桶，进行持久化存储。另外，可以对上传的数据元及桶进行访问控制、加密等设置。每个AWS账户可以创建多个用户，用户可以对所拥有的数据进行上述权限控制。

目前可存储的你内容有：

(1)多媒体、音乐、图片

(2)视频监控文件

(3)医疗系统的档案、资料

(4)静态网站资料

2 管理

通过AWS管理控制台对数据进行控制。AWS控制台类似于EC2的web控制界面，或者通过API接口(Java、.Net)、REST接口编程实现。

3 S3功能简述

(1)创建桶、删除桶

(2)写入、读取、删除数据元，每个数据元的大小从1byte到5Tbyte

(3)根据用户密钥，查询桶信息及数据元信息

(4)选择数据所存储的地区，东京 or 新加坡 or 其他

(5)数据元的权限设置，可以向指定的用户开放，加密等

(6)使用基于REST和SOAP接口，提供JAVA，net的SDK

(7)便于添加其他功能，默认的下载协议是HTTP

(8)提供AWS管理平台，对数据进行管理

(9)在进行存储或者检索数据时，对数据进行校验和计算，验证是否损坏

(10)去冗余存储，用户可以自定义一些文件，比如缩略图、转码媒体等，使得这些文件的存储冗余副本数目低于标准的冗余副本数目

(11)数据源的访问日志记录，可用于审核等

(12)对数据元提供版本控制功能，用户可以恢复到之前的版本

4 访问控制机制

S3的访问控制机制，主要有四种。

(1) Identity and Access Management (IAM) 策略：

IAM让拥有多名员工的组织能够在一个AWS账户下创建和管理多个用户，通过IAM策略，可以授予指定的用户对桶和数据元的细化控制。

(2)访问控制列表(ACL)：

选择性的授予对个别数据元或者桶的特定权限。

(3)桶策略：

桶策略可以添加或者拒绝对单一桶内的部分或者所有数据元的权限。

(4)查询字符串身份验证：

根据此项的验证，能够通过仅在限定时间段内有效的URL共享数据元。

4.1 使用IAM策略

IAM策略就是AWS Identity and Access Management。使用此策略可以利用AWS账户创建多个用户，给这些用户分配证书、管理其权限。主要是针对用户的。类似的还有ACL和桶策略。下面是三者的对比表：

通过ACL，可以赋予其他的AWS账户相关权限来访问本账户所拥有的资源，通过IAM，只能赋予本AWS账户下创建的用户相关的访问权限。控制级别不一样。三者之间可以相互搭配，来组合安全策略。三者之间，在某些条件下也是等价的，比如：

在策略中，需要对objec 进行相关的action操作，就像上图中的PutObject一样，action列表如下。

Actions Related to Objects

s3:GetObject (covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAP GetObject, and SOAP GetObjectExtended)
s3:GetObjectVersion (covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAP GetObject, and SOAP GetObjectExtended)
s3:PutObject (covers the REST PUT Object, REST POST Object, REST Initiate Multipart Upload, REST Upload Part, REST Complete Multipart Upload, SOAP PutObject, and SOAP PutObjectInline)
s3:GetObjectAcl
s3:GetObjectVersionAcl
s3:PutObjectAcl
s3:PutObjectVersionAcl
s3:DeleteObject
s3:DeleteObjectVersion
s3:ListMultipartUploadParts
s3:AbortMultipartUpload
s3:GetObjectTorrent
s3:GetObjectVersionTorrent
s3:RestoreObject

Actions Related to Buckets

s3:CreateBucket
s3:DeleteBucket
s3:ListBucket
s3:ListBucketVersions
s3:ListAllMyBuckets (covers REST GET Service and SOAP ListAllMyBuckets)
s3:ListBucketMultipartUploads

Actions Related to Bucket Sub-Resources

s3:GetBucketAcl
s3:PutBucketAcl
s3:GetBucketCORS
s3:PutBucketCORS
s3:GetBucketVersioning
s3:PutBucketVersioning
s3:GetBucketRequestPayment
s3:PutBucketRequestPayment
s3:GetBucketLocation
s3:GetBucketPolicy
s3:DeleteBucketPolicy
s3:PutBucketPolicy
s3:GetBucketNotification
s3:PutBucketNotification
s3:GetBucketLogging
s3:PutBucketLogging
s3:GetBucketWebsite
s3:PutBucketWebsite
s3:DeleteBucketWebsite
s3:GetLifecycleConfiguration
s3:PutLifecycleConfiguration

同时，还有策略的Key值，可以根据策略的key来更加严格的控制资源。key值列表如下：

Action	Applicable Keys	Description
`s3:PutObject`	`s3:x-amz-acl`	The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: `private` \| `public-read` \| `public-read-write` \| `authenticated-read` \| `bucket-owner-read` \|`bucket-owner-full-control` \| `log-delivery-write`. Example value: `public-read`
	`s3:x-amz-copy-source`	The header that specifies the name of the source bucket and key name of the source object, separated by a slash (/). Used when copying an object. Example value: `/bucketname/keyname`
	`s3:x-amz-grant-read, s3:x-amz-grant-write, s3:x-amz-grant-read-acp, s3:x-amz-grant-write-acp, s3:x-amz-grant-full-control`	These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers headers with specific values. For more information about the API and the request headers, go to PUT Object. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control .
	`s3:x-amz-server-side-encryption`	Allow the specific action only if `x-amz-server-side-encryption` header is present in the request and its value matches the specified condition. with Valid values: AES256 Example value: `AES256`
	`s3:x-amz-metadata-directive`	The header that specifies whether the metadata is copied from the source object or replaced with metadata provided in the request. If copied, the metadata, except for the version ID, remains unchanged. Otherwise, all original metadata is replaced by the metadata you specify. Used when copying an object. Valid values: `COPY` \| `REPLACE`. The default is `COPY`. Example value: `REPLACE`
`s3:PutObjectAcl`	`s3:x-amz-acl`	The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: `private` \| `public-read` \| `public-read-write` \| `authenticated-read` \| `bucket-owner-read` \|`bucket-owner-full-control` \| `log-delivery-write`. Example value: `public-read`
`s3:PutObjectAcl`	`s3:x-amz-grant-read, s3:x-amz-grant-write, s3:x-amz-grant-read-acp, s3:x-amz-grant-write-acp, s3:x-amz-grant-full-control`	These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers headers with specific values. For more information about the API and the request headers, go to PUT Object acl. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control .
`s3:GetObjectVersion`	`s3:VersionId`	The version ID of the object being retrieved. Example value: `Upfdndhfd8438MNFDN93jdnJFkdmqnh893`
`s3:GetObjectVersionAcl`	`s3:VersionId`	The version ID of the object ACL being retrieved. Example value: `Upfdndhfd8438MNFDN93jdnJFkdmqnh893`
`s3:PutObjectVersionAcl`	`s3:VersionId`	The version ID of the object ACL being PUT. Example value: `Upfdndhfd8438MNFDN93jdnJFkdmqnh893`
	`s3:x-amz-acl`	The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: `private` \| `public-read` \| `public-read-write` \| `authenticated-read` \| `bucket-owner-read` \|`bucket-owner-full-control` \| `log-delivery-write`. Example value: `public-read`
	`s3:x-amz-grant-read, s3:x-amz-grant-write, s3:x-amz-grant-read-acp, s3:x-amz-grant-write-acp, s3:x-amz-grant-full-control`	These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers headers with specific values. For more information about the API and the request headers, go to PUT Object acl. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control .
`s3:DeleteObjectVersion`	`s3:VersionId`	The version ID of the object being deleted.